24% of CISOs actively looking to leave their jobs

Nearly one in four enterprise security execs from the US and the UK are “looking to leave their roles,” according to a recent report by BlackFog Research.

“The combination of emerging threats, funding difficulties and personal liability is increasingly convincing security leaders to seek new positions,” the report said, adding that in addition to the 24%, “another 50% claim they are open to new offers. Altogether, the majority of security leaders would take on a new role if given the chance.”

Rob Enderle, principal analyst at technology advisory firm Enderle Group, sees the very nature of the enterprise CISO role as one with few incentives to stick around for the long term. As a result, he believes CISOs are almost always going to be actively exploring possible next moves — and not just because 77% of CISOs fear the next big breach will get them fired.

“Where do you go after reaching CSO?” Enderle said. “Your only path up is out to a different company that can afford a higher salary.”

While greater prominence for the CISO role of late has led to more dual-titled security leaders and opportunities to up-level in the C-suite, Enderle doesn’t see a lot of CSOs and CISOs becoming “CTOs, COOs, or CEOs unless they are in a security firm. So, if you are a climber, and CSOs tend to be climbers, your goal upon getting your first CSO job is to start looking for another better one,” he said.

But none of that is especially unique to CISOs and CSOs, Enderle said. 

“Upward mobility in most C-Level jobs is the same. All these jobs are either at their top in a firm or they are competing for the one CEO job. That means that retaining most top executives is somewhat problematic without pensions, which used to function as an anchor to the firm,” Enderle said. “Stock option vesting can provide some offset, but it hasn’t proven as effective as pensions once did. While bridging pensions was a method to overcome them, because pensions were assured by the company and were cash-based, it was far harder to do that than using a stock grant to bridge option vesting.”

CISOs with an eye on the exit often know what they want their next role to be. A more senior role in a similarly sized company or a similar role at a more prominent Fortune-ranked company are typical targets. But increasing burnout, frustration, and personal liability are leading to rising CISO job dissatisfaction, pushing many CISOs out the door. Some are eyeing vCISO roles due to the stress.

Even if no layoffs or firings happen, enterprise CISOs — along with CSOs and CIOs — have relatively brief average tenures, typically running anywhere from 18 months to 24 months. Some enterprise CISOs last much longer, but as the two-year anniversary approaches, many CISOs consider next moves.